{"containers": {"cna": {"affected": [{"product": "buildah", "vendor": "n/a", "versions": [{"status": "affected", "version": "Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above."}]}], "descriptions": [{"lang": "en", "value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-03T18:26:21", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"}, {"tags": ["x_refsource_MISC"], "url": "https://ubuntu.com/security/CVE-2021-3602"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-3602", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "buildah", "version": {"version_data": [{"version_value": "Affects v1.21.2, v1.20.0, v1.19.8, v1.18.0, v1.17.1, v1.16.7, Fixed in v1.21.3, v1.19.9, v1.17.2, v1.16.8, v1.22.0 and above."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"}, {"name": "https://ubuntu.com/security/CVE-2021-3602", "refsource": "MISC", "url": "https://ubuntu.com/security/CVE-2021-3602"}, {"name": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj", "refsource": "MISC", "url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"}, {"name": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0", "refsource": "MISC", "url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:08.065Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ubuntu.com/security/CVE-2021-3602"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3602", "datePublished": "2022-03-03T18:26:21", "dateReserved": "2021-06-15T00:00:00", "dateUpdated": "2024-08-03T17:01:08.065Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CE147BD-61D6-43D8-86A8-3C3CB16D200F", "versionEndExcluding": "1.16.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6A83393-DA38-4D39-93E0-D238F6955564", "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "matchCriteriaId": "06B356AF-631F-4568-B0A1-D43673CD212D", "versionEndExcluding": "1.19.9", "versionStartIncluding": "1.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:buildah_project:buildah:*:*:*:*:*:*:*:*", "matchCriteriaId": "69D2AE6F-D695-4079-82CF-0C9E532484B5", "versionEndExcluding": "1.21.3", "versionStartIncluding": "1.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "87C21FE1-EA5C-498F-9C6C-D05F91A88217", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."}, {"lang": "es", "value": "Se ha encontrado un fallo de divulgaci\u00f3n de informaci\u00f3n en Buildah, cuando son construidos contenedores usando el aislamiento chroot. Los procesos que son ejecutados en las construcciones de contenedores (por ejemplo, los comandos RUN de Dockerfile) pueden acceder a las variables de entorno de los procesos padres y abuelos. Cuando es ejecutado en un contenedor en un entorno CI/CD, las variables de entorno pueden incluir informaci\u00f3n confidencial que fue compartida con el contenedor para ser usada s\u00f3lo por el propio Buildah (por ejemplo, las credenciales del registro del contenedor)"}], "id": "CVE-2021-3602", "lastModified": "2022-10-24T14:22:45.203", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T19:15:08.107", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://ubuntu.com/security/CVE-2021-3602"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Blake Burkhart for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:4154", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:rhel8-8050020210921082437.faa19cc5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4221", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:2.0-8050020210817115648.faa19cc5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4222", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:3.0-8050020210915114620.faa19cc5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "buildah: Host environment variables leaked in build container when using chroot isolation", "id": "1969264", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).", "An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials)."], "name": "CVE-2021-3602", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "buildah", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-docker-builder", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2021-07-15T14:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3602\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3602\nhttps://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"], "statement": "OpenShift Container Platform 4's builder container is not vulnerable to this flaw as it uses OCI isolation (i.e. using runc) and does not use chroot isolation.", "threat_severity": "Moderate", "upstream_fix": "buildah 1.21.3, buildah 1.19.9, buildah 1.17.2, buildah 1.16.8"}